Currently, when applying ACLs, Incus will first apply all drop/reject rules, then apply the allow rules and finally the policy, which defaults to reject.
That's a good order for this particular case, as it allows having wide allow rules with narrow reject/drop rules to block a subset of what's allowed; the policy then rejects the rest.
But this apply order isn't a good fit when the default policy is allow, as in that situation one would likely have pretty broad reject/drop rules and so want the allow rules applied first, to allow a subset of what would otherwise be denied by the broader reject/drop rules.
So we should change our default apply order to match, basically reversing the order if the default action is allow.
You should then be able to reproduce the current (wrong) behavior by:
1. Creating an ACL that:
   - allows connecting to 1.1.1.1
   - blocks connecting to 1.1.1.0/24
2. Applying the ACL to an instance
3. Setting the default action for the ACL to allow
Normally you'd expect this setup to allow talking to 1.1.1.1, but because we currently apply the drop/reject ahead of the allow rules, you'll find that 1.1.1.1 won't be allowed due to the 1.1.1.0/24 reject rule.
Once the issue is fixed, the same setup should allow pinging 1.1.1.1 but reject pinging 1.1.1.2.
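To make the two apply orders concrete, here is a small Go model written for this issue; it is an added example, not Incus code. It assumes a simplified rule that matches only on destination prefix (the single host 1.1.1.1 is written as 1.1.1.1/32), and first-match-wins evaluation as a sequential firewall chain would do it.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Rule is a simplified egress ACL rule (constructed for this example).
type Rule struct {
	Action string // "allow" or "reject"
	Dest   string // destination prefix in CIDR form
}

// orderRules feeds drop/reject before allow (current Incus order) unless fixed
// is set and the default action is allow, in which case allow rules go first.
func orderRules(rules []Rule, defaultAction string, fixed bool) []Rule {
	allowFirst := fixed && defaultAction == "allow"
	ordered := append([]Rule(nil), rules...)
	sort.SliceStable(ordered, func(i, j int) bool {
		return (ordered[i].Action == "allow") == allowFirst && ordered[i].Action != ordered[j].Action
	})
	return ordered
}

// verdict is first-match-wins like a firewall chain; no match means the default policy applies.
func verdict(ordered []Rule, defaultAction, dst string) (string, error) {
	ip := net.ParseIP(dst)
	if ip == nil {
		return "", fmt.Errorf("invalid destination %q", dst)
	}
	for _, r := range ordered {
		_, prefix, err := net.ParseCIDR(r.Dest)
		if err != nil {
			return "", err
		}
		if prefix.Contains(ip) {
			return r.Action, nil
		}
	}
	return defaultAction, nil
}

func main() {
	rules := []Rule{{"allow", "1.1.1.1/32"}, {"reject", "1.1.1.0/24"}} // reproduction from the comment above
	for _, fixed := range []bool{false, true} {
		v, _ := verdict(orderRules(rules, "allow", fixed), "allow", "1.1.1.1")
		fmt.Printf("fixed=%-5v 1.1.1.1 -> %s\n", fixed, v)
	}
}
```

With fixed=false the reject on 1.1.1.0/24 is hit first and 1.1.1.1 is rejected; with fixed=true the /32 allow is hit first, while 1.1.1.2 still falls through to the /24 reject.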